Ransomware: What is it and how to prevent the next attack.

Ransomware is having a heyday.

Increasingly, news about companies having their data stolen and their systems breached has made its way into mainstream media. With ransomware payouts growing nearly 200% in 2021 to exceed $1.2B, as reported by the United States Treasury Department’s Financial Crimes Enforcement Network (FinCEN), that should come as no surprise. What does seem odd is that the continuous growth in cybersecurity spending (a CAGR of 11% between 2022 and 2026 according to Gartner) doesn’t seem to be making a dent in the success of ransomware’s perpetrators. One explanation is the shift in ransomware’s preferred initial access vector from the historic favorite, credential theft, to the exploitation of vulnerabilities on Internet-facing systems. Hopefully the recent prioritization of ransomware by cybersecurity leaders will have a positive impact on the threat landscape.

You might be asking yourself “What is ransomware?”

Ransomware is a family of malicious software (malware) designed to encrypt a target’s data, rendering it inaccessible, and demand payment for its decryption in order for access to be restored. If not paid, these malicious cyber actors threaten to sell or leak data to the public or competitors. Adversaries may also attempt to extort more money from victims by promising to not alert the authorities of a successful attack. And notably, the advent of cryptocurrency has further emboldened cyber criminals leveraging ransomware by providing them an untraceable means of monetizing their attacks, while the growth of initial access brokers (criminals who obtain and sell illegitimate access to corporate networks) has greatly expanded the population of cyber criminals capable of executing successful ransomware attacks.

There are a few main avenues for ransomware’s initial access.

For a ransomware attack to be successful it first needs to find a way into an organization’s network. As we mentioned earlier, exploitation of vulnerabilities is ransomware’s new favorite initial access avenue. That said, phishing and malicious email are two other widely exploited mediums for gaining a foothold into the target’s environment. Let’s take a look at each to understand why these vectors are so prized and how they’re leveraged.

  • The exploitation of vulnerable software exposed on the Internet requires relatively low effort and no interaction from a human (unlike phishing and malicious email), so it’s an understandably inviting attack vector. Continuous scanning of Internet-facing systems is cheap and fast, and once a vulnerability is detected, all that’s left is to pick an existing exploit for it. On average, it takes only five days from vulnerability disclosure for a working exploit to be crafted, so attackers don’t have to wait long even if the vulnerability they’ve found has no exploit yet. Coupled with an average vulnerability remediation cadence of 102 days, that leaves those looking to gain access sitting pretty, even if crafting the exploit takes a few extra days.
  • Credential theft is another favorite of ransomware groups due to the ease of purchasing leaked credentials, the relative ease of convincing humans to click on links and then type in their credentials (phishing), and, to a lesser extent, brute-force attempts against weak passwords. No amount of training can guarantee a human failure rate of 0%, so as long as there’s a password to steal, bad actors will try, and often enough, succeed.
  • Malicious software distributed via email is another initial access vector for ransomware operators, albeit less favored than the others because it generally relies on human interaction. When bad actors can trick users into downloading the malicious software by clicking a link or opening an attachment, it attempts to execute its payload and gain a foothold on that user’s device.

CERT NZ’s ransomware initial access diagram does a great job of presenting this information graphically.

Preventing the next ransomware attack

Preventing the next ransomware attack is a multi-faceted endeavor. By following some best practices, to the greatest extent possible given available resources, organizations can significantly reduce the risk of bad actors being successful in gaining a foothold into their environment. We’ll cover some concrete steps that can help defend the favorite initial access vectors we detailed in the last section.

  • Patching. Making sure applications and operating systems are always up-to-date with the latest security patches is the best way to ensure hackers are unable to exploit the software’s vulnerabilities. With the number of unpatched vulnerabilities on the typical corporate network measured in the thousands, this is admittedly easier said than done. Fortunately, new technologies and tools built to quell the fear that patching too quickly is risky and make auto-remediation safe are beginning to come to market.
  • Vulnerability Scanning. Knowing what endpoints exist in the network, what software and operating system versions they are running, and what vulnerabilities affect them is, of course, crucial to patching.
  • Multi-Factor Authentication (MFA). Enabling MFA for as many services as possible greatly reduces the risk of attackers accessing systems for which they’ve already obtained user credentials.
  • Anti-Virus/Anti-Malware. Keeping both the software and its signatures up-to-date is critical for identifying and containing malicious software on all systems, hopefully before it is able to begin encrypting files.
  • Cybersecurity Threat Awareness Training. Although this is the least technical control on the list, regularly conducting training across the organization that includes guidance on identifying and reporting suspicious activity can teach users how to spot potentially malicious email. Conducting simulated (read: benign) phishing campaigns to test users helps reinforce these behaviors.

A ransomware recovery plan is a key component in a comprehensive ransomware strategy.

The most effective and quickest way to recover from a ransomware infection is to restore the affected devices from backups. For this to be a viable option, clean backups taken before the compromise must be available. As such, it’s extremely important to maintain offline, regularly updated backups of your data and to test restoration procedures regularly. A general incident response plan, created and maintained in advance, helps make those regular restoration tests routine. There are many additional best practices and nuances for effectively recovering from a ransomware attack. Both CISA and NIST provide guidelines that go into great detail, ensuring the broadest audience has a solid foundation for dealing with ransomware. These certainly aren’t fool-proof means of eliminating the leverage ransomware groups have (they can still release your sensitive data); however, they can limit the operational impact of an attack.
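As an added illustration (not code from the original post), here is what a scripted restoration test of the kind described above can look like: a backup is restored into a scratch directory and every file is checked against a SHA-256 manifest recorded at backup time, so a backup that silently contains ransomware-encrypted or missing files is caught before you depend on it. The manifest-inside-the-archive layout and the sample files are assumptions made for this example.

```python
import hashlib, io, json, os, tarfile, tempfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Record a SHA-256 per file at backup time; the restore test checks against this."""
    return {path: sha256(data) for path, data in files.items()}

def pack_backup(files: dict, manifest: dict) -> bytes:
    """Write the files plus manifest.json into an in-memory gzip'd tar (stands in for offline media)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        entries = list(files.items()) + [("manifest.json", json.dumps(manifest).encode())]
        for path, data in entries:
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def restore_and_verify(backup: bytes) -> dict:
    """Restore into a scratch directory and compare every manifest entry to what was restored."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(backup), mode="r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # rejects ../ paths and symlink escapes on newer Pythons
            except TypeError:
                tar.extractall(dest)  # older Pythons have no filter argument
        with open(os.path.join(dest, "manifest.json")) as fh:
            manifest = json.load(fh)
        failures = []
        for rel, expected in manifest.items():
            target = os.path.join(dest, rel)
            if not os.path.isfile(target):
                failures.append((rel, "missing"))
                continue
            with open(target, "rb") as fh:
                if sha256(fh.read()) != expected:
                    failures.append((rel, "hash mismatch"))
        return {"checked": len(manifest), "failures": failures}

# Constructed sample data: a tiny file-server snapshot taken before any compromise (assumed content).
CLEAN = {
    "finance/q3.xlsx": b"revenue,cost\n100,80\n",
    "hr/handbook.pdf": b"%PDF-1.4 employee handbook",
}
MANIFEST = build_manifest(CLEAN)

if __name__ == "__main__":
    print(restore_and_verify(pack_backup(CLEAN, MANIFEST)))  # clean restore: no failures
    tampered = {**CLEAN, "finance/q3.xlsx": b"\x8f\x2a encrypted after compromise"}
    print(restore_and_verify(pack_backup(tampered, MANIFEST)))  # flags the altered file
```

A real drill would restore to an isolated host and time the operation as well, since recovery speed is part of what the test is meant to prove.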

Ransomware has plagued organizations for years, and as a staple in the cybercriminal arsenal, it continues to grow in volume and sophistication. Even as security leaders and practitioners shift their focus and spend on preventative measures, the threat landscape is ever-evolving and the barrier for entry is lowering, allowing for lesser skilled adversaries to participate. To maintain the greatest likelihood of protecting assets, organizations must be vigilant. Understanding the latest threats and exposure present across all devices, and then adapting security strategies as threats continue to change, is critical in preventing the next ransomware attack. 

Learn how trackd is enabling remediation teams to intelligently eliminate vulnerabilities in the enterprise by requesting early access below.